This chapter covers the principles of the defense-in-depth strategy and compares and contrasts the concepts of risk, threats, vulnerabilities, and exploits. It also defines threat actors, run book automation (RBA), chain of custody (evidentiary), reverse engineering, sliding window anomaly detection, Personally Identifiable Information (PII), and Protected Health Information (PHI), and it explains the principle of least privilege and how to perform separation of duties. Finally, it covers the concepts of risk scoring, risk weighting, and risk reduction, and how to perform an overall risk assessment.

“Do I Know This Already?” Quiz

The “Do I Know This Already?” quiz helps you identify your strengths and deficiencies in this chapter’s topics. The 11-question quiz, derived from the major sections in the “Foundation Topics” portion of the chapter, helps you determine how to spend your limited study time. You can find the answers in Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes and Q&A Questions.”

Table 3-1 outlines the major topics discussed in this chapter and the “Do I Know This Already?” quiz questions that correspond to those topics.

a. You can deploy advanced malware protection to detect and block advanced persistent threats.
b. You can configure firewall failover in a scalable way.
c. Even if a single control (such as a firewall or IPS) fails, other controls can still protect your environment and assets.
d. You can configure intrusion prevention systems (IPSs) with custom signatures and auto-tuning to be more effective in the network.

2. Which of the following planes is important to understand for defense in depth?
a. Management plane
b. Failover plane
c. Control plane
d. Clustering
e. User/data plane
f. Services plane

3. Which of the following are examples of vulnerabilities?
a. Advanced threats
b. CVSS
c. SQL injection
d. Command injection
e. Cross-site scripting (XSS)
f. Cross-site request forgery (CSRF)

4. What is the Common Vulnerabilities and Exposures (CVE)?
a. An identifier of threats
b. A standard to score vulnerabilities
c. A standard maintained by OASIS
d. A standard for identifying vulnerabilities to make it easier to share data across tools, vulnerability repositories, and security services

5. Which of the following is true when describing threat intelligence?
a. Threat intelligence’s primary purpose is to make money by exploiting threats.
b. Threat intelligence’s primary purpose is to inform business decisions regarding the risks and implications associated with threats.
c. With threat intelligence, threat actors can become more efficient at carrying out attacks.
d. Threat intelligence is too difficult to obtain.

6. Which of the following is an open source feed for threat data?
a. Cyber Squad ThreatConnect
b. BAE Detica CyberReveal
c. MITRE CRITs
d. Cisco AMP Threat Grid

7. What is the Common Vulnerability Scoring System (CVSS)?
a. A scoring system for exploits.
b. A tool to automatically mitigate vulnerabilities.
c. A scoring method that conveys vulnerability severity and helps determine the urgency and priority of response.
d. A vulnerability-mitigation risk analysis tool.

8. Which of the following are examples of personally identifiable information (PII)?
a. Social security number
b. Biological or personal characteristics, such as an image of distinguishing features, fingerprints, x-rays, voice signature, retina scan, and geometry of the face
c. CVE
d. Date of birth

9. Which of the following statements are true about the principle of least privilege?
a. Principle of least privilege and separation of duties can be considered to be the same thing.
b. The principle of least privilege states that all users—whether they are individual contributors, managers, directors, or executives—should be granted only the level of privilege they need to do their job, and no more.
c. Programs or processes running on a system should have the capabilities they need to “get their job done,” but no root access to the system.
d. The principle of least privilege only applies to people.

10. What is a runbook?
a. A runbook is a collection of processes running on a system.
b. A runbook is a configuration guide for network security devices.
c. A runbook is a collection of best practices for configuring access control lists on a firewall and other network infrastructure devices.
d. A runbook is a collection of procedures and operations performed by system administrators, security professionals, or network operators.

11. Chain of custody is the way you document and preserve evidence from the time you start the cyber forensics investigation to the time the evidence is presented in court. Which of the following is important when handling evidence?
a. Documentation about how and when the evidence was collected
b. Documentation about how the evidence was transported
c. Documentation about who had access to the evidence and how it was accessed